Just out of curiosity, I think it’s up to lawyers to answer this, but consider the scenario below:

Let’s say I go to the office and one of my coworkers realizes I have definite signs of Coronavirus! She starts to spread the word and soon everybody knows I am infected…

Now, the way she handled the situation, my personal health information was shared and exposed … everyone knows I have this certain medical condition. She could have come to me (well, would you?) and advised me to go home, and hoped that I go, and then discussed my condition privately with HR? What if I didn’t leave the office, what if she didn’t tell everybody? All my colleagues would be exposed to the disease and this could even turn into a disaster and push the office to shut down for 2 weeks, with a huge impact on business!

But what about my privacy? I could have had my treatment privately and come back to the office after 2 weeks, but now, everybody probably is going to avoid me and all meetings I am involved in are canceled, nobody wants to be near me!

Did she violate the HIPAA privacy rule, or did she just save the company from a disaster? What would be the best course of action?

Wow, this is loaded. First, if one employee realizes that you have symptoms of a specific disease, are you jumping to the conclusion that others would not also arrive at the same conclusion? Second, if you do have a disease such as Coronavirus, why are you showing up some place where you could infect others?

Based on your scenario, anyone that suggests that I stay away from a person that has a cold or flu, may have broken a law or are they just watching out for my well-being? I think (MHOO) they may be looking after my health.

I suggest that your example may be invalid. Had you said that you have Cancer and the person relates that information to others, they may in fact be in violation of certain laws.

I am not as familiar with HIPAA as some others here, but my understanding is that it relates to patient data (administratively, physically and technically) or are they your direct supervisor? If not a patient and they are not your direct supervisor, they may have broken some other law, but I don't think HIPAA is the right one, maybe under Human Rights.

In Canada, as a supervisor, I am not allowed to ask questions about a person's health (that information is private and can only be requested by the Medical department (if there is one) or the Insurance company paying them). So if one of my employees is off on leave, they only have to provide a doctor's note stating they are under the care of a physician and they will not be at work. I am not allowed to know the diagnosis.

In your case, you mention specifically that there are outward signs of illness. In this case, as your supervisor, I would immediately send you home. I would also alert my medical department (if there was one) and also HR.

The intent of HIPAA in the workplace is to protect employees from sharing health information and disclosing information with people who do not legally need to know that information.

But as you say, the lawyers are probably better placed to answer this question and what law, they may or may not have broken.

If someone were to sell your personal information you'd have a violation of privacy. Selling personal health records is punishable by up to 100,000 per charge and/or 10 years in prison. The HIPAA Omnibus of 2013 goes into great detail on the subject if you wish to bone up on the subject. Also keep in mind your health record is worth 100-175 plus dollars on the black market where a credit card can be had for as little as 25 cents.

In the scenario you outline, having COVID-19 is being a threat to public health well before you feel as though your privacy has been violated. In this case the idea or "fact" that you carry a potentially deadly disease weighs much more heavily than your personal privacy and takes legal precedent. You're going to the hospital of someone else's choice for quarantine and appropriate treatment.

Your privacy ends at public health. Your name may not be published or otherwise distributed by those familiar or the media. Your privacy simply ends once diagnosed with any infectious disease due to public health and safety. End of story.

Now, your individual co-workers could still be obnoxious enough to bring extra attention to themselves while finding themselves in quarantine next to you as well. Hey, what's good for the goose is good for the gander and all. So there really wouldn't be much use in telling people they are now infamously exposed to a potential pathogen is there?

At the point, that your manager or employer or Human Resources suspects that you have Coronavirus, is a notifiable condition. Which the Human Resources and Medical Staff have a duty of care and principally responsibilities for the health of others.

It is literally out of your hands, once it becomes a notifiable condition - it passes into the Health Professionals responsibilities, who will be required to take action quickly and efficiently, even if they are not prepared for such a situation. More likely they will go into melt down mode, due to being unprepared, which will then cause company concerns, as to who was last in the vicinity of that person and how they traveled to work or back home or whether they came by their own car.

It will be up to Human Resources and the company medical staff to handle the situation to the remaining concerned employees, wondering whether or not they themselves should go into 14 days of quarantine as well.

I think in unprepared countries, it is more likely to cause panic and a great deal of concern, and concerns about privacy will only arise after the immediate issues have been recognised retrospectively.

Folks, don't treat me like I really have Coronavirus; that's just an example. I would like to see what would be a "professional" reaction to something that can happen anytime within any organization. By the way, HIPAA is violated even if someone discusses a patient's condition with no justification. You don't really need to just sell PHI to violate the HIPAA (privacy) rule.

@Kaveh Just reviewing the scenario you painted, however, there is a whole bunch of professional principles that each health professional by profession has to carry out despite HIPAA's edicts. They sign an Oath to follow those ethics; whether they are Medical Practitioners or Veterinary Practitioners, they follow very similar sets of principles, on which they can be reviewed or, in the worst case, struck off the register if they do not comply.

At the core of it, the health and protection of the individual and those around is paramount.

However, given any contagious situation, with a notifiable situation or emergency, these often override immediate legislation, and emergency powers including those of health and safety of others become the immediate concern. Legislation may catch up later on, but the immediate issue is the health & safety of the individual at that point in time, to prevent contagion given the example provided.

@Kaveh I agree, having seen employees suddenly go down very quickly with cancer within weeks of diagnosis. This is a different scenario altogether. Also a sudden unexpected heart attack, whilst cycling and unable to resuscitate, would also fall outside of the contagious infection issue.
